Don't create devices if in a user namespace

If we are running in a user namespace, don't try to mknod as
it won't be allowed.  libcontainer will bind-mount the host's
devices over files in the container anyway, so it's not needed.

The chrootarchive package does a chroot (without mounting /proc) before
its work, so we cannot check /proc/self/uid_map when we need to.  So
compute it in advance and pass it along with the tar options.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Upstream-commit: 617c352e9225b1d598e893aa5f89a8863808e4f2
Component: engine
Serge Hallyn
2016-02-12 16:05:50 -08:00
committed by Phil Estes
parent 51e7a5bb32
commit cc5b6aa3dd
6 changed files with 36 additions and 6 deletions

@ -11,6 +11,7 @@ import (
"github.com/docker/docker/pkg/pools"
"github.com/docker/docker/pkg/system"
rsystem "github.com/opencontainers/runc/libcontainer/system"
)
type copyFlags int
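Review bot: the new rsystem import exists only to call RunningInUserNS(), which, as the commit message says, needs /proc/self/uid_map and therefore cannot be trusted after chrootarchive's chroot (no /proc is mounted there); this hunk wires the check in directly rather than taking the precomputed flag the message describes passing with the tar options, which is only correct if copyDir is never reached from that chrooted path. Suggest a one-line comment at the import or the call site recording that assumption, so a later refactor does not move the call behind the chroot where the read would fail.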
@ -105,6 +106,10 @@ func copyDir(srcDir, dstDir string, flags copyFlags) error {
case os.ModeNamedPipe:
fallthrough
case os.ModeSocket:
if rsystem.RunningInUserNS() {
// cannot create a device if running in user namespace
return nil
}
if err := syscall.Mkfifo(dstPath, stat.Mode); err != nil {
return err
}
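Review bot: the new RunningInUserNS() guard is placed in the os.ModeNamedPipe / os.ModeSocket branch ahead of syscall.Mkfifo, but creating a FIFO does not require CAP_MKNOD (mknod(2) refuses only block and character devices to unprivileged callers), so it is permitted inside a user namespace. As written, every named pipe and socket under srcDir is silently dropped from the copy whenever the daemon runs in a user namespace, and the comment `// cannot create a device if running in user namespace` does not describe this case, which creates no device node at all. Suggest leaving the Mkfifo path unguarded and applying the check, with that comment, only to the device-node case the commit message is about; if skipping FIFOs and sockets here is intentional, reword the comment to say so rather than mentioning devices.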